The hypothesis is that this detection identifies KINS dropper activity through artifacts embedded in the dropper itself rather than through runtime behaviour: the format strings of its command-and-control requests, the debug names of its process-injection routines, and a reference to the MS10-092 Task Scheduler elevation-of-privilege exploit, which the rule's comments group under UAC bypass. Together these indicate adversary efforts to elevate privileges, inject into other processes, establish persistence and execute malicious payloads. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage malware deployment attempts that may evade traditional detection methods.
YARA Rule
rule KINS_dropper : dropper {
    meta:
        author = "AlienVault Labs [email protected]"
        description = "Match protocol, process injects and windows exploit present in KINS dropper"
        reference = "http://goo.gl/arPhm3"
    strings:
        // Network protocol
        $n1 = "tid=%d&ta=%s-%x" fullword
        $n2 = "fid=%d" fullword
        $n3 = "%[^.].%[^(](%[^)])" fullword
        // Injects
        $i0 = "%s [%s %d] 77 %s"
        $i01 = "Global\\%s%x"
        $i1 = "Inject::InjectProcessByName()"
        $i2 = "Inject::CopyImageToProcess()"
        $i3 = "Inject::InjectProcess()"
        $i4 = "Inject::InjectImageToProcess()"
        $i5 = "Drop::InjectStartThread()"
        // UAC bypass
        $uac1 = "ExploitMS10_092"
        $uac2 = "\\globalroot\\systemroot\\system32\\tasks\\" ascii wide
        $uac3 = "<RunLevel>HighestAvailable</RunLevel>" ascii wide
    condition:
        2 of ($n*) and 2 of ($i*) and 2 of ($uac*)
}
This rule is a static signature: it matches the 13 literal strings above in a file on disk or in a process memory image, not runtime behaviour. The three network-protocol strings are declared "fullword", so they match only when the bytes on either side are not alphanumeric (a "fid=%d" buried inside a longer token does not count). The two Task Scheduler strings are declared "ascii wide", so they match both their ANSI form and the UTF-16 form in which task XML is usually stored; "ExploitMS10_092" has no modifier and therefore matches as ASCII only. The condition requires at least two hits from each of the three groups (network protocol, injection routines, UAC bypass), so a file that carries only one family of strings, for example legitimate task XML, does not fire the rule.
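To make the condition concrete, the following is an added example that is not part of the AlienVault rule and is not YARA itself: a small Python model that re-implements only the string semantics this rule uses (plain ASCII strings, the fullword modifier, the wide UTF-16LE modifier) and the "2 of ($group*)" counting, then runs the rule over three constructed byte strings: one carrying the dropper's strings, one legitimate scheduled-task XML, and one in which a network string is embedded in a longer token. The sample bytes are constructed for illustration and are not real malware. For actual scanning, compile the rule with yara-python (yara.compile and Rules.match) instead of this model.

```python
"""Model of the KINS_dropper rule's string and condition semantics.

Added example, not part of the AlienVault rule or of YARA. It re-implements
only what this rule needs: ASCII strings, the fullword modifier, the wide
(UTF-16LE) modifier and "N of ($group*)" counting, so the rule can be
exercised against constructed bytes without yara-python installed.
"""
import re

# The rule's strings, grouped the way the condition groups them.
NETWORK = {
    "$n1": "tid=%d&ta=%s-%x",
    "$n2": "fid=%d",
    "$n3": "%[^.].%[^(](%[^)])",
}
INJECTS = {
    "$i0": "%s [%s %d] 77 %s",
    "$i01": "Global\\%s%x",
    "$i1": "Inject::InjectProcessByName()",
    "$i2": "Inject::CopyImageToProcess()",
    "$i3": "Inject::InjectProcess()",
    "$i4": "Inject::InjectImageToProcess()",
    "$i5": "Drop::InjectStartThread()",
}
UAC = {
    "$uac1": "ExploitMS10_092",
    "$uac2": "\\globalroot\\systemroot\\system32\\tasks\\",
    "$uac3": "<RunLevel>HighestAvailable</RunLevel>",
}
FULLWORD = {"$n1", "$n2", "$n3"}   # declared "fullword" in the rule
WIDE = {"$uac2", "$uac3"}          # declared "ascii wide" in the rule

_ALNUM = re.compile(rb"[A-Za-z0-9]")


def _fullword_ok(data: bytes, pos: int, length: int) -> bool:
    """YARA fullword: the bytes just before and after the match are not alphanumeric."""
    before = data[pos - 1:pos] if pos > 0 else b""
    after = data[pos + length:pos + length + 1]
    return not _ALNUM.match(before) and not _ALNUM.match(after)


def string_matches(data: bytes, ident: str, text: str) -> bool:
    """True if identifier `ident` with pattern `text` matches anywhere in `data`."""
    needles = [text.encode("ascii")]
    if ident in WIDE:
        needles.append(text.encode("utf-16-le"))   # wide form, no BOM
    for needle in needles:
        start = 0
        while (pos := data.find(needle, start)) != -1:
            if ident not in FULLWORD or _fullword_ok(data, pos, len(needle)):
                return True
            start = pos + 1                         # keep looking past a rejected hit
    return False


def evaluate(data: bytes) -> dict:
    """Apply the rule: 2 of ($n*) and 2 of ($i*) and 2 of ($uac*)."""
    matched = {
        ident
        for group in (NETWORK, INJECTS, UAC)
        for ident, text in group.items()
        if string_matches(data, ident, text)
    }
    counts = {
        "n": len(matched & set(NETWORK)),
        "i": len(matched & set(INJECTS)),
        "uac": len(matched & set(UAC)),
    }
    fires = all(count >= 2 for count in counts.values())
    return {"matched": matched, "counts": counts, "fires": fires}


# Constructed samples for illustration (not real malware). Strings are
# NUL-separated, as they would sit in a binary's data section.
DROPPER_LIKE = (
    b"\x00" * 8
    + b"tid=%d&ta=%s-%x\x00fid=%d\x00"
    + b"Inject::InjectProcessByName()\x00Inject::InjectProcess()\x00"
    + b"ExploitMS10_092\x00"
    + "<RunLevel>HighestAvailable</RunLevel>".encode("utf-16-le")  # wide-only hit
    + b"\x00" * 8
)

# Legitimate scheduled-task XML: only the UAC group can match here.
LEGIT_TASK_XML = (
    b"<Task><Principals><Principal><RunLevel>HighestAvailable</RunLevel>"
    b"</Principal></Principals><Settings>\\globalroot\\systemroot\\system32"
    b"\\tasks\\Updater</Settings></Task>"
)

# Same bytes as the dropper, but "fid=%d" now sits inside a longer token
# ("afid=%d"), which the fullword modifier rejects, leaving one network string.
FULLWORD_MISS = DROPPER_LIKE.replace(b"\x00fid=%d\x00", b"\x00afid=%d\x00")


if __name__ == "__main__":
    for name, sample in (("dropper-like", DROPPER_LIKE),
                         ("task xml", LEGIT_TASK_XML),
                         ("fullword miss", FULLWORD_MISS)):
        result = evaluate(sample)
        print(f"{name:14} fires={result['fires']} counts={result['counts']} "
              f"matched={sorted(result['matched'])}")
```

The dropper-like sample fires with two hits per group, including $uac3 found only in its UTF-16 form; the task XML satisfies the UAC group alone and does not fire; the third sample shows why the network strings carry fullword, since a single alphanumeric byte in front of "fid=%d" drops the network count to one.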
Because the rule matches content rather than process behaviour, false positives come from places where the KINS strings legitimately exist as data, not from administrative tools such as schtasks.exe or PsExec, which never contain them.
Scenario: Scan of a directory that holds this rule, other YARA rule sets, or threat-intelligence reports quoting the KINS strings. The rule text itself contains enough of the literals (the network strings, the Inject:: routine names, ExploitMS10_092 and the RunLevel element) to satisfy the condition.
Filter/Exclusion: Exclude known rule and IOC repositories by path, and confirm the matched object is an executable or a process memory region rather than a text document before escalating.
Scenario: Malware analysis workstation or sandbox storage that keeps KINS samples for research.
Filter/Exclusion: Exclude analyst sample repositories and sandbox hosts by path or host name, and treat hits there as expected inventory rather than as infections.
Scenario: Memory scan of an antivirus or EDR process that has loaded signature data containing the same literals.
Filter/Exclusion: Exclude the memory of signed security-product processes from memory scanning, or restrict memory scanning to processes outside the security vendor's install directory.
Scenario: Legitimate scheduled-task XML or an installer that sets <RunLevel>HighestAvailable</RunLevel> for a task.
Filter/Exclusion: On its own this contributes only to the UAC group; the condition also needs two network-protocol strings and two injection strings, so verify that all three groups matched before treating the hit as a dropper. A file that combines task XML with ExploitMS10_092 is not benign.
Scenario: Unrelated binary that happens to contain generic strings such as fid=%d or Global\%s%x.
Filter/Exclusion: These two strings are the least distinctive in the rule, so check that the hit also includes the Inject:: routine names or ExploitMS10_092, and submit the file hash for reputation lookup before alerting.